A national survey of IT professionals tracked how often even tech-savvy staff at companies were targeted by phishing emails.
According to HP TippingPoint, which sponsored the State of Network Security survey (PDF) released Wednesday, nearly 70 percent of IT professionals experienced phishing attacks – malicious emails disguised as legitimate correspondence via social engineering – at least once a week.
The study was conducted by global research practice Ipsos Observer last month, and encompasses the answers of 205 IT professionals across the United States.
Also underscored in the report were trends concerning data targeted in enterprise network attacks.
Sixty-seven percent of respondents said that, in the event of a network breach, customer data was the most likely to be sought by attackers. Also on hackers' radars was company financial information, which 63 percent of respondents said was likely to be attacked.
Jennifer Ellard, director of enterprise security products at HP TippingPoint, told SCMagazine.com that a layered security approach, which included security awareness training, was needed to thwart malware infections (and data theft) as a result of phishing.
Sandboxing technologies, for instance, can be used in conjunction with security awareness training, she explained, as enterprises “need an environment where malware can detonate and you can analyze it” before it impacts staff.
“Sandboxing works from a near-real time [detection] and forensics perspective,” she continued.
Last week, news surfaced that customers of JPMorgan Chase were the target of a massive phishing campaign, which leveraged phishing pages to collect credentials and also host the RIG exploit kit. RIG was capable of exploiting users' software vulnerabilities to spread Dyre malware, and at the time, roughly 500,000 phishing emails had been sent out to unsuspecting users, security firm Proofpoint revealed.
Saboteurs targeting enterprises, however, often go for a more targeted approach, known as spear phishing, combing through victims' publicly available information on social media networks, for instance, to personalize malicious emails or even strike at the most opportune time.
“Those targeted attacks are about 90 percent effective,” Ellard warned.